Usage notes - Amazon DynamoDB
Services or capabilities described in Amazon Web Services documentation might vary by Region. To see the differences applicable to the China Regions, see Getting Started with Amazon Web Services in China (PDF).

Usage notes

This section describes the technical differences between on-demand backups managed by Amazon Backup and DynamoDB.

Amazon Backup has some different workflows and behaviors than DynamoDB. These include:

Encryption - Backups created with the Amazon Backup plan are stored in an encrypted vault with a key that is managed by the Amazon Backup service. The vault has access control policies for additional security.

Backup ARN - The backup files created by Amazon Backup will now have an Amazon Backup ARN, which could impact the user permission model. Backup resource names (ARNs) will change from arn:aws:dynamodb to arn:aws:backup.

Deleting backups - Backups that are created with Amazon Backup can only be deleted from the Amazon Backup vault. You will not be able to delete Amazon Backup files from the DynamoDB console.

Backup process - Unlike DynamoDB backups, backups made with Amazon Backup are not instantaneous.

Billing - Backups of DynamoDB tables with Amazon Backup features are billed from Amazon Backup.

IAM roles - If you're managing access through IAM roles, you will also need to configure a new IAM role with these new permissions: 

"dynamodb:StartAwsBackupJob", 
"dynamodb:RestoreTableFromAwsBackup"

dynamodb:StartAwsBackupJob is needed for a successful backup with Amazon Backup features, and dynamodb:RestoreTableFromAwsBackup is needed to restore from a backup made with Amazon Backup features.

To see these permissions in a complete IAM policy, see Example 8 in Using IAM.